Starting last Summer, there has been quite a dust-up
over the way Gecko handles certs.
[url]http://google.com/search?q=cache:8lx1VCVm4jwJ:slashdot.org/article.pl?sid=08/08/04/0058217+*-website-*-using-*-self-signed-*.*.*.*.*-*.*-*.*+*-*-bundle-*-*-*-*-*+migrate-away-*-*.*-*+hey-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*+*-pretending+*-*-little-sense+not-just-*-paying-customers+*-*-*-*-*-*-*.*.*.*.*.*-*.and-no-certificate+*-click-four-times-*-*-*-*-*-*-*-*+*-*-almost-useless-*-*-*-*+inc+inc+inc+looks.MORE.scary.and.LESS.secure#24465811[/url]

The Mozilla Foundation has caught Hell for it.
Mostly it's a lot of scaremongering on the part of the Gecko guys.

A number of the **pre-approved** CAs are steaming piles of fraud.
The certificates from many of those (which you accept by default)...
[url]http://google.com/search?q=cache:sUyg-LAHMs4J:ask.slashdot.org/article.pl?sid=08/07/18/1721234+authorized+Mozilla+Thats-more-*-*-*+*-*-*-*-*-*-throwaway-address+*-*-*-scammer-*-*-*-*+no.difference+verification+supposed+hypothetical+exploited+*-difference-*-*-key-*-*-*+free+*-*-*-*-*-audited-*-*-*-*-*-*-*-*-*-*-*+*-nothing+Verisign+rss+actual+gentle+validated-to-your-*-identity+loose+accountability+StartSSL+CACert#24246653[/url]

(different spot on the same page)
[url]http://google.com/search?q=cache:sUyg-LAHMs4J:ask.slashdot.org/article.pl?sid=08/07/18/1721234+authorized+Mozilla+Thats-more-*-*-*+*-*-*-*-*-*-throwaway-address+*-*-*-scammer-*-*-*-*+no.difference+verification+supposed+hypothetical+exploited+*-difference-*-*-key-*-*-*+free+*-*-*-*-*-audited-*-*-*-*-*-*-*-*-*-*-*+*-nothing+Verisign+rss+actual+gentle+validated-to-your-*-identity+loose+accountability+StartSSL+CACert#24247037[/url]

....are actually WORSE than the ones from CACert.
(another spot on that page)
[url]http://google.com/search?q=cache:sUyg-LAHMs4J:ask.slashdot.org/article.pl?sid=08/07/18/1721234+authorized+Mozilla+Thats-more-*-*-*+*-*-*-*-*-*-throwaway-address+*-*-*-scammer-*-*-*-*+no.difference+verification+supposed+hypothetical+exploited+*-difference-*-*-key-*-*-*+free+*-*-*-*-*-audited-*-*-*-*-*-*-*-*-*-*-*+*-nothing+Verisign+rss+actual+gentle+validated-to-your-*-identity+loose+accountability+StartSSL+CACert#24247167[/url]

....and as has been mentioned,
CACert is on the cusp of being included by default.